Cyber and data security measures arriving in April 2018

New Data Security and Protection Requirements have been published that require all health and care organisations to take steps to implement the ten data security standards recommended by the National Data Guardian by April 2018. These requirements have been developed in response to earlier ransomware attacks, in particular the WannaCry cyber attack in May 2017.

So, who do these data security requirements apply to?

All health and care organisations – from providers to general practices and those operating in both the NHS and private sectors. The document states that NHS providers contracted to provide services under the NHS standard contract and general practices contracted to deliver primary care essential services under the NHS standard GMS, PMS or APMS contracts will be required to meet the new data security standards.

Interestingly, for social care providers who do not deliver care through the NHS standard contract, there are no obligations to implement the requirements in this financial year. However, it is “highly recommended” that social care organisations follow the requirements in readiness for the new framework from April 2018.

What are the data security requirements?

Part A sets out the requirements (or Leadership obligations) for all health and care organisations and Part B sets them out in respect of GP practices.

Both parts cover three main areas (people, processes and technology) and are quite similar.

Key points include:

People: There must be a named senior executive, partner or board member responsible for data and cyber security in each organisation. Other requirements include reaching level two on the current Information Governance Toolkit before it is replaced with the new Data Security and Protection Toolkit, and completing the General Data Protection Regulation Checklist, which they will be required to comply with from May 2018. Staff training must also be provided annually, including new sections on cyber security.

Processes: Organisations are required to act on CareCERT advisories, confirm within 48 hours that plans are in place to act on High Severity CareCERT advisories, and evidence this through CareCERT Collect. Each organisation must also have a primary point of contact to receive CareCERT advisories and coordinate its response to them. Staff are also required to report data security incidents and near misses.

Technology: Healthcare organisations running unsupported systems are required to identify them and have a plan in place by April 2018 to remove, replace or actively mitigate or manage the risks associated with those systems. In addition, there is an obligation to undertake an on-site cyber and data security assessment and to act on the outcome of that assessment. Stricter supplier certification has been introduced and a list of certification frameworks is included in the document.

How will the NHS check compliance with implementing the data security standards?

Through the new Data Security and Protection Toolkit, which will replace the Information Governance Toolkit from April 2018. The new toolkit is currently being tested across various health and care organisations. There is also a call for NHS organisations to look at the National Cyber Security Centre’s ten steps to cyber security and NHS Digital’s Data Security Good Practice Guides to increase understanding of data and cyber security.


When considering data security as part of the ‘well led’ element of their inspections, CQC will be looking at how organisations are assuring themselves that the steps set out in the guidance are being taken.

At the end of 2017/18 NHS Improvement will ask NHS Providers to confirm that they have implemented the requirements. In the long term, NHSI will ensure that data security is included in their oversight arrangements.

CCGs also have a role here in respect of ensuring the Leadership obligations for GP practices are complied with.

What next?

Five key dates requiring action by health and care organisations

November 2017: The new Data Security and Protection Toolkit, which replaces the Information Governance Toolkit, will be piloted with users.

February 2018: All organisations will have access to the new Data Security and Protection Toolkit from January 2018 to familiarise themselves with the approach to measuring implementation and compliance, including how they might apply it to their organisation from April 2018.

April 2018: Further guidance will be published to support organisations to use the new Data Security and Protection Toolkit.

April 2018: All organisations will now be required to complete the new Data Security and Protection Toolkit.

May 2018: The EU General Data Protection Regulation, and Security of Network and Information Systems Directive, come into force. This will increase the legislative data security and protection requirements on health and care organisations.

Do get in touch if you require support with implementation of the standards and/or training – we have a friendly team of health information governance experts.
